File gnutls-Remove-3DES-from-FIPS-approved-algos.patch of Package gnutls.33311
From 4f43efcd5a8fbdcf79f12cb98019d98629844091 Mon Sep 17 00:00:00 2001
From: Zoltan Fridrich <zfridric@redhat.com>
Date: Wed, 6 Apr 2022 15:33:32 +0200
Subject: [PATCH] Remove 3DES from FIPS approved algorithms.
According to the section 2 of SP800-131A Rev.2, 3DES algorithm will be disallowed for encryption after December 31, 2023: https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/final
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
---
NEWS | 5 +++++
lib/crypto-selftests.c | 2 +-
lib/fips.h | 1 -
tests/dtls1-2-mtu-check.c | 6 ++++--
tests/key-openssl.c | 3 +++
tests/mini-overhead.c | 8 +++++---
tests/pkcs11/gnutls_pcert_list_import_x509_file.c | 3 +++
tests/pkcs11/gnutls_x509_crt_list_import_url.c | 3 +++
tests/pkcs11/pkcs11-chainverify.c | 3 +++
tests/pkcs11/pkcs11-combo.c | 3 +++
tests/pkcs11/pkcs11-ec-privkey-test.c | 3 +++
tests/pkcs11/pkcs11-get-issuer.c | 3 +++
tests/pkcs11/pkcs11-import-with-pin.c | 3 +++
tests/pkcs11/pkcs11-is-known.c | 3 +++
tests/pkcs11/pkcs11-obj-import.c | 3 +++
tests/pkcs11/pkcs11-privkey-generate.c | 3 +++
tests/pkcs11/pkcs11-privkey.c | 3 +++
tests/pkcs11/pkcs11-pubkey-import.c | 3 +++
tests/pkcs11/pkcs11-rsa-pss-privkey-test.c | 3 +++
tests/pkcs11/tls-neg-pkcs11-key.c | 3 +++
tests/pkcs11/tls-neg-pkcs11-no-key.c | 3 +++
tests/pkcs12_encode.c | 3 +++
tests/pkcs12_s2k_pem.c | 3 +++
tests/rsa-illegal-import.c | 3 +++
tests/slow/cipher-api-test.c | 2 +-
tests/tls10-cipher-neg.c | 4 ++++
tests/tls11-cipher-neg.c | 4 ++++
tests/tls12-cipher-neg.c | 4 ++++
tests/tls13/post-handshake-with-cert-pkcs11.c | 3 +++
32 files changed, 103 insertions(+), 8 deletions(-)
Index: gnutls-3.7.3/lib/crypto-selftests.c
===================================================================
--- gnutls-3.7.3.orig/lib/crypto-selftests.c
+++ gnutls-3.7.3/lib/crypto-selftests.c
@@ -2715,7 +2715,7 @@ int gnutls_cipher_self_test(unsigned fla CASE(GNUTLS_CIPHER_AES_256_CBC, test_cipher, aes256_cbc_vectors); FALLTHROUGH; - CASE(GNUTLS_CIPHER_3DES_CBC, test_cipher, + NON_FIPS_CASE(GNUTLS_CIPHER_3DES_CBC, test_cipher, tdes_cbc_vectors); FALLTHROUGH; NON_FIPS_CASE(GNUTLS_CIPHER_ARCFOUR_128, test_cipher, Index: gnutls-3.7.3/lib/fips.h =================================================================== --- gnutls-3.7.3.orig/lib/fips.h +++ gnutls-3.7.3/lib/fips.h @@ -118,7 +118,6 @@ is_cipher_algo_approved_in_fips(gnutls_c case GNUTLS_CIPHER_AES_192_CBC: case GNUTLS_CIPHER_AES_128_CCM: case GNUTLS_CIPHER_AES_256_CCM: - case GNUTLS_CIPHER_3DES_CBC: case GNUTLS_CIPHER_AES_128_CCM_8: case GNUTLS_CIPHER_AES_256_CCM_8: case GNUTLS_CIPHER_AES_128_CFB8: Index: gnutls-3.7.3/tests/dtls1-2-mtu-check.c =================================================================== --- gnutls-3.7.3.orig/tests/dtls1-2-mtu-check.c +++ gnutls-3.7.3/tests/dtls1-2-mtu-check.c @@ -205,7 +205,8 @@ void doit(void) dtls_mtu_try("DTLS 1.2 with AES-128-CBC-HMAC-SHA1 - mtu:1536", "NORMAL:%NO_ETM:-VERS-ALL:+VERS-DTLS1.2:-CIPHER-ALL:+AES-128-CBC:-MAC-ALL:+SHA1", 1536, 1483); dtls_mtu_try("DTLS 1.2 with AES-128-CBC-HMAC-SHA256", "NORMAL:%NO_ETM:-VERS-ALL:+VERS-DTLS1.2:-CIPHER-ALL:+AES-128-CBC:-MAC-ALL:+SHA256", 1500, 1423); - dtls_mtu_try("DTLS 1.2 with 3DES-CBC-HMAC-SHA1", "NORMAL:%NO_ETM:-VERS-ALL:+VERS-DTLS1.2:-CIPHER-ALL:+3DES-CBC:-MAC-ALL:+SHA1", 1500, 1451); + if (!gnutls_fips140_mode_enabled()) + dtls_mtu_try("DTLS 1.2 with 3DES-CBC-HMAC-SHA1", "NORMAL:%NO_ETM:-VERS-ALL:+VERS-DTLS1.2:-CIPHER-ALL:+3DES-CBC:-MAC-ALL:+SHA1", 1500, 1451); /* check non-CBC ciphers */ dtls_mtu_try("DTLS 1.2 with AES-128-GCM", "NORMAL:-VERS-ALL:+VERS-DTLS1.2:-CIPHER-ALL:+AES-128-GCM", 1500, 1463); 
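Review bot: With the 3DES entry in gnutls_cipher_self_test switched to `NON_FIPS_CASE`, the 3DES-CBC known-answer test presumably no longer runs in FIPS mode, yet the only library-side change visible in this patch (lib/fips.h) drops 3DES from the approved list rather than disabling the cipher. If 3DES remains callable in FIPS mode as a non-approved service, it would then be used without a power-on self-test, so it is worth confirming that this is intended. A one-line comment above the entry would record the reason, e.g. `/* 3DES is not FIPS-approved (SP800-131A Rev.2): KAT skipped in FIPS mode */`. The definition of `NON_FIPS_CASE` and the rest of the switch lie outside the hunk.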
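Review bot: The new `if (!gnutls_fips140_mode_enabled())` in front of the 3DES-CBC `dtls_mtu_try` call in tests/dtls1-2-mtu-check.c has no braces, and the guarded statement is one very long line, so a second 3DES check added under it later would silently fall outside the guard. The same unbraced form is repeated in the second hunk of this file (`@@ -234,7 +235,8`) and around the multi-line `start(...)` call in tests/mini-overhead.c. I would write `if (!gnutls_fips140_mode_enabled()) {` … `}` in all three places. doit() begins and ends outside the hunk.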
@@ -234,7 +235,8 @@ void doit(void) dtls_mtu_try("DTLS 1.2 with AES-128-CBC-HMAC-SHA1 - mtu:1518", "NORMAL:-VERS-ALL:+VERS-DTLS1.2:-CIPHER-ALL:+AES-128-CBC:-MAC-ALL:+SHA1", 1518, 1455); dtls_mtu_try("DTLS 1.2/EtM with AES-128-CBC-HMAC-SHA256", "NORMAL:-VERS-ALL:+VERS-DTLS1.2:-CIPHER-ALL:+AES-128-CBC:-MAC-ALL:+SHA256", 1500, 1423); - dtls_mtu_try("DTLS 1.2/EtM with 3DES-CBC-HMAC-SHA1", "NORMAL:-VERS-ALL:+VERS-DTLS1.2:-CIPHER-ALL:+3DES-CBC:-MAC-ALL:+SHA1", 1500, 1455); + if (!gnutls_fips140_mode_enabled()) + dtls_mtu_try("DTLS 1.2/EtM with 3DES-CBC-HMAC-SHA1", "NORMAL:-VERS-ALL:+VERS-DTLS1.2:-CIPHER-ALL:+3DES-CBC:-MAC-ALL:+SHA1", 1500, 1455); gnutls_global_deinit(); } Index: gnutls-3.7.3/tests/key-openssl.c =================================================================== --- gnutls-3.7.3.orig/tests/key-openssl.c +++ gnutls-3.7.3/tests/key-openssl.c @@ -115,6 +115,9 @@ void doit(void) int ret; gnutls_datum_t key; + if (gnutls_fips140_mode_enabled()) + exit(77); + ret = global_init(); if (ret < 0) fail("global_init: %d\n", ret); Index: gnutls-3.7.3/tests/mini-overhead.c =================================================================== --- gnutls-3.7.3.orig/tests/mini-overhead.c +++ gnutls-3.7.3/tests/mini-overhead.c @@ -328,9 +328,11 @@ void doit(void) 65); /* 13 + 20(sha1) + 8(iv) + 8(max pad) */ - start - ("NONE:+VERS-DTLS1.0:+3DES-CBC:%NO_ETM:+SHA1:+SIGN-ALL:+COMP-NULL:+RSA", - 49); + if (!gnutls_fips140_mode_enabled()) + start + ("NONE:+VERS-DTLS1.0:+3DES-CBC:%NO_ETM:+SHA1:+SIGN-ALL:+COMP-NULL:+RSA", + 49); + /* 13 + 16(tag) + 4(iv) */ start ("NONE:+VERS-DTLS1.2:+AES-128-GCM:%NO_ETM:+AEAD:+SIGN-ALL:+COMP-NULL:+RSA", Index: gnutls-3.7.3/tests/pkcs11/gnutls_pcert_list_import_x509_file.c =================================================================== --- gnutls-3.7.3.orig/tests/pkcs11/gnutls_pcert_list_import_x509_file.c +++ gnutls-3.7.3/tests/pkcs11/gnutls_pcert_list_import_x509_file.c 
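Review bot: The added `if (gnutls_fips140_mode_enabled()) exit(77);` at the top of doit() in tests/key-openssl.c skips the whole test in FIPS mode without saying why, and the same three lines are added in the tests/pkcs11/*, tests/pkcs12_encode.c, tests/pkcs12_s2k_pem.c and tests/tls13/post-handshake-with-cert-pkcs11.c hunks below. The commit message speaks only of 3DES, so presumably each test depends on a 3DES-protected key or token, but a reader cannot tell that from the code, and the skip also removes all FIPS-mode coverage of these key-import and PKCS#11 paths. Each skip should carry a comment naming the dependency, e.g. `/* uses 3DES-encrypted fixtures, not approved in FIPS mode */` (adjusted to the actual reason), so it can be lifted once the fixtures move to an approved cipher.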
@@ -149,6 +149,9 @@ void doit(void) unsigned int pcerts_size; char file[TMPNAME_SIZE]; + if (gnutls_fips140_mode_enabled()) + exit(77); + track_temp_files(); bin = softhsm_bin(); Index: gnutls-3.7.3/tests/pkcs11/gnutls_x509_crt_list_import_url.c =================================================================== --- gnutls-3.7.3.orig/tests/pkcs11/gnutls_x509_crt_list_import_url.c +++ gnutls-3.7.3/tests/pkcs11/gnutls_x509_crt_list_import_url.c @@ -130,6 +130,9 @@ void doit(void) gnutls_x509_crt_t *crts; unsigned int crts_size, i; + if (gnutls_fips140_mode_enabled()) + exit(77); + bin = softhsm_bin(); lib = softhsm_lib(); Index: gnutls-3.7.3/tests/pkcs11/pkcs11-chainverify.c =================================================================== --- gnutls-3.7.3.orig/tests/pkcs11/pkcs11-chainverify.c +++ gnutls-3.7.3/tests/pkcs11/pkcs11-chainverify.c @@ -78,6 +78,9 @@ void doit(void) gnutls_typed_vdata_st vdata[2]; char buf[128]; + if (gnutls_fips140_mode_enabled()) + exit(77); + /* The overloading of time() seems to work in linux (ELF?) * systems only. Disable it on windows. */ Index: gnutls-3.7.3/tests/pkcs11/pkcs11-combo.c =================================================================== --- gnutls-3.7.3.orig/tests/pkcs11/pkcs11-combo.c +++ gnutls-3.7.3/tests/pkcs11/pkcs11-combo.c @@ -217,6 +217,9 @@ void doit(void) unsigned verify_status = 0; gnutls_datum_t tmp; + if (gnutls_fips140_mode_enabled()) + exit(77); + /* The overloading of time() seems to work in linux (ELF?) * systems only. Disable it on windows. */ Index: gnutls-3.7.3/tests/pkcs11/pkcs11-ec-privkey-test.c =================================================================== --- gnutls-3.7.3.orig/tests/pkcs11/pkcs11-ec-privkey-test.c +++ gnutls-3.7.3/tests/pkcs11/pkcs11-ec-privkey-test.c 
@@ -83,6 +83,9 @@ void doit(void) gnutls_pubkey_t pubkey4; unsigned i; + if (gnutls_fips140_mode_enabled()) + exit(77); + bin = softhsm_bin(); lib = softhsm_lib(); Index: gnutls-3.7.3/tests/pkcs11/pkcs11-get-issuer.c =================================================================== --- gnutls-3.7.3.orig/tests/pkcs11/pkcs11-get-issuer.c +++ gnutls-3.7.3/tests/pkcs11/pkcs11-get-issuer.c @@ -85,6 +85,9 @@ void doit(void) gnutls_datum_t tmp; int idx = -1; + if (gnutls_fips140_mode_enabled()) + exit(77); + /* The overloading of time() seems to work in linux (ELF?) * systems only. Disable it on windows. */ Index: gnutls-3.7.3/tests/pkcs11/pkcs11-import-with-pin.c =================================================================== --- gnutls-3.7.3.orig/tests/pkcs11/pkcs11-import-with-pin.c +++ gnutls-3.7.3/tests/pkcs11/pkcs11-import-with-pin.c @@ -83,6 +83,9 @@ void doit(void) gnutls_privkey_t pkey; char file[TMPNAME_SIZE]; + if (gnutls_fips140_mode_enabled()) + exit(77); + bin = softhsm_bin(); lib = softhsm_lib(); Index: gnutls-3.7.3/tests/pkcs11/pkcs11-is-known.c =================================================================== --- gnutls-3.7.3.orig/tests/pkcs11/pkcs11-is-known.c +++ gnutls-3.7.3/tests/pkcs11/pkcs11-is-known.c @@ -352,6 +352,9 @@ void doit(void) gnutls_x509_crt_t intermediate, same_dn, same_issuer; gnutls_datum_t tmp; + if (gnutls_fips140_mode_enabled()) + exit(77); + /* The overloading of time() seems to work in linux (ELF?) * systems only. Disable it on windows. */ Index: gnutls-3.7.3/tests/pkcs11/pkcs11-obj-import.c =================================================================== --- gnutls-3.7.3.orig/tests/pkcs11/pkcs11-obj-import.c +++ gnutls-3.7.3/tests/pkcs11/pkcs11-obj-import.c 
@@ -75,6 +75,9 @@ void doit(void) gnutls_datum_t tmp, tmp2; size_t buf_size; + if (gnutls_fips140_mode_enabled()) + exit(77); + bin = softhsm_bin(); lib = softhsm_lib(); Index: gnutls-3.7.3/tests/pkcs11/pkcs11-privkey-generate.c =================================================================== --- gnutls-3.7.3.orig/tests/pkcs11/pkcs11-privkey-generate.c +++ gnutls-3.7.3/tests/pkcs11/pkcs11-privkey-generate.c @@ -85,6 +85,9 @@ void doit(void) unsigned flags; gnutls_pkcs11_obj_t obj; + if (gnutls_fips140_mode_enabled()) + exit(77); + ret = global_init(); if (ret != 0) { fail("%d: %s\n", ret, gnutls_strerror(ret)); Index: gnutls-3.7.3/tests/pkcs11/pkcs11-privkey.c =================================================================== --- gnutls-3.7.3.orig/tests/pkcs11/pkcs11-privkey.c +++ gnutls-3.7.3/tests/pkcs11/pkcs11-privkey.c @@ -129,6 +129,9 @@ void doit(void) gnutls_certificate_credentials_t cred; gnutls_datum_t tmp; + if (gnutls_fips140_mode_enabled()) + exit(77); + /* The overloading of time() seems to work in linux (ELF?) * systems only. Disable it on windows. */ Index: gnutls-3.7.3/tests/pkcs11/pkcs11-pubkey-import.c =================================================================== --- gnutls-3.7.3.orig/tests/pkcs11/pkcs11-pubkey-import.c +++ gnutls-3.7.3/tests/pkcs11/pkcs11-pubkey-import.c @@ -75,6 +75,9 @@ static void try(int rsa) gnutls_pubkey_t pubkey; gnutls_pubkey_t pubkey2; + if (gnutls_fips140_mode_enabled()) + exit(77); + bin = softhsm_bin(); lib = softhsm_lib(); Index: gnutls-3.7.3/tests/pkcs11/pkcs11-rsa-pss-privkey-test.c =================================================================== --- gnutls-3.7.3.orig/tests/pkcs11/pkcs11-rsa-pss-privkey-test.c +++ gnutls-3.7.3/tests/pkcs11/pkcs11-rsa-pss-privkey-test.c 
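Review bot: In tests/pkcs11/pkcs11-pubkey-import.c the FIPS skip lands inside the helper `static void try(int rsa)` (per the hunk header), whereas the other tests in this patch put it at the top of `doit()` or `main()`. It still ends the process on the first call, but anything doit() does before calling try() would still run in FIPS mode; doit() is not visible in this hunk. For consistency I would move `if (gnutls_fips140_mode_enabled()) exit(77);` to the start of doit().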
@@ -96,6 +96,9 @@ void doit(void) gnutls_pubkey_t pubkey2; unsigned i, sigalgo; + if (gnutls_fips140_mode_enabled()) + exit(77); + bin = softhsm_bin(); lib = softhsm_lib(); Index: gnutls-3.7.3/tests/pkcs11/tls-neg-pkcs11-key.c =================================================================== --- gnutls-3.7.3.orig/tests/pkcs11/tls-neg-pkcs11-key.c +++ gnutls-3.7.3/tests/pkcs11/tls-neg-pkcs11-key.c @@ -419,6 +419,9 @@ void doit(void) unsigned int i, have_eddsa; int ret; + if (gnutls_fips140_mode_enabled()) + exit(77); + #ifdef _WIN32 exit(77); #endif Index: gnutls-3.7.3/tests/pkcs11/tls-neg-pkcs11-no-key.c =================================================================== --- gnutls-3.7.3.orig/tests/pkcs11/tls-neg-pkcs11-no-key.c +++ gnutls-3.7.3/tests/pkcs11/tls-neg-pkcs11-no-key.c @@ -330,6 +330,9 @@ void doit(void) pid_t child; int status = 0; + if (gnutls_fips140_mode_enabled()) + exit(77); + /* check if softhsm module is loadable */ (void) softhsm_lib(); Index: gnutls-3.7.3/tests/pkcs12_encode.c =================================================================== --- gnutls-3.7.3.orig/tests/pkcs12_encode.c +++ gnutls-3.7.3/tests/pkcs12_encode.c @@ -83,6 +83,9 @@ void doit(void) size_t size; unsigned tests, i; + if (gnutls_fips140_mode_enabled()) + exit(77); + ret = global_init(); if (ret < 0) { fprintf(stderr, "global_init %d", ret); Index: gnutls-3.7.3/tests/pkcs12_s2k_pem.c =================================================================== --- gnutls-3.7.3.orig/tests/pkcs12_s2k_pem.c +++ gnutls-3.7.3/tests/pkcs12_s2k_pem.c @@ -254,6 +254,9 @@ int main(void) size_t i; int ret; + if (gnutls_fips140_mode_enabled()) + exit(77); + global_init(); for (i = 0; i < sizeof(keys) / sizeof(keys[0]); i++) { Index: gnutls-3.7.3/tests/rsa-illegal-import.c =================================================================== --- gnutls-3.7.3.orig/tests/rsa-illegal-import.c +++ gnutls-3.7.3/tests/rsa-illegal-import.c 
@@ -145,6 +145,9 @@ int check_pkcs8_privkey2(void) void doit(void) { + if (gnutls_fips140_mode_enabled()) + exit(77); + #if NETTLE_VERSION_MAJOR < 3 || (NETTLE_VERSION_MAJOR == 3 && NETTLE_VERSION_MINOR <= 2) /* These checks are enforced only on new versions of nettle */ exit(77); Index: gnutls-3.7.3/tests/slow/cipher-api-test.c =================================================================== --- gnutls-3.7.3.orig/tests/slow/cipher-api-test.c +++ gnutls-3.7.3/tests/slow/cipher-api-test.c @@ -359,8 +359,8 @@ void doit(void) start("aes128-cbc", GNUTLS_CIPHER_AES_128_CBC, 0); start("aes192-cbc", GNUTLS_CIPHER_AES_192_CBC, 0); start("aes256-cbc", GNUTLS_CIPHER_AES_256_CBC, 0); - start("3des-cbc", GNUTLS_CIPHER_3DES_CBC, 0); if (!gnutls_fips140_mode_enabled()) { + start("3des-cbc", GNUTLS_CIPHER_3DES_CBC, 0); start("camellia128-gcm", GNUTLS_CIPHER_CAMELLIA_128_GCM, 1); start("camellia256-gcm", GNUTLS_CIPHER_CAMELLIA_256_GCM, 1); start("chacha20-poly1305", GNUTLS_CIPHER_CHACHA20_POLY1305, 1); Index: gnutls-3.7.3/tests/tls10-cipher-neg.c =================================================================== --- gnutls-3.7.3.orig/tests/tls10-cipher-neg.c +++ gnutls-3.7.3/tests/tls10-cipher-neg.c 
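Review bot: The skip added at the top of doit() in tests/rsa-illegal-import.c turns off what looks, judging by the file name and the `check_pkcs8_privkey2` context in the hunk header, like a negative test for malformed RSA key import, and it does so in exactly the mode where strict rejection matters most. Nothing in the hunk shows which part depends on 3DES. If only one encrypted fixture is affected, I would guard just that check with `if (!gnutls_fips140_mode_enabled())` and a comment naming it, rather than exiting before any check runs. The rest of doit() lies outside the hunk.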
@@ -65,24 +65,28 @@ test_case_st tests[] = { { .name = "server TLS 1.0: 3DES-CBC (server)", .cipher = GNUTLS_CIPHER_3DES_CBC, + .not_on_fips = 1, .server_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.0:%SERVER_PRECEDENCE", .client_prio = "NORMAL:+3DES-CBC" }, { .name = "both TLS 1.0: 3DES-CBC (server)", .cipher = GNUTLS_CIPHER_3DES_CBC, + .not_on_fips = 1, .server_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.0:%SERVER_PRECEDENCE", .client_prio = "NORMAL:+3DES-CBC:+VERS-TLS1.0" }, { .name = "client TLS 1.0: 3DES-CBC (client)", .cipher = GNUTLS_CIPHER_3DES_CBC, + .not_on_fips = 1, .server_prio = "NORMAL:+3DES-CBC", .client_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.0" }, { .name = "both TLS 1.0: 3DES-CBC (client)", .cipher = GNUTLS_CIPHER_3DES_CBC, + .not_on_fips = 1, .server_prio = "NORMAL:+3DES-CBC:+VERS-TLS1.0", .client_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.0" }, Index: gnutls-3.7.3/tests/tls11-cipher-neg.c =================================================================== --- gnutls-3.7.3.orig/tests/tls11-cipher-neg.c +++ gnutls-3.7.3/tests/tls11-cipher-neg.c 
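Review bot: Marking the four 3DES-CBC cases in tests/tls10-cipher-neg.c with `.not_on_fips = 1` only stops them from running in FIPS mode; nothing in this patch then checks that a 3DES-CBC negotiation is actually refused, or reported as non-approved, in that mode. The same applies to the tests/tls11-cipher-neg.c and tests/tls12-cipher-neg.c hunks. A FIPS-only counterpart that expects failure or a non-approved indication for a `-CIPHER-ALL:+3DES-CBC` priority would pin the behaviour this commit introduces; how `not_on_fips` is consumed is outside the hunk, so the harness may need a matching field. A short comment on the first entry, `/* 3DES is not FIPS-approved (SP800-131A Rev.2) */`, would also help.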
@@ -65,24 +65,28 @@ test_case_st tests[] = { { .name = "server TLS 1.1: 3DES-CBC (server)", .cipher = GNUTLS_CIPHER_3DES_CBC, + .not_on_fips = 1, .server_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.1:%SERVER_PRECEDENCE", .client_prio = "NORMAL:+3DES-CBC" }, { .name = "both TLS 1.1: 3DES-CBC (server)", .cipher = GNUTLS_CIPHER_3DES_CBC, + .not_on_fips = 1, .server_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.1:%SERVER_PRECEDENCE", .client_prio = "NORMAL:+3DES-CBC:+VERS-TLS1.1" }, { .name = "client TLS 1.1: 3DES-CBC (client)", .cipher = GNUTLS_CIPHER_3DES_CBC, + .not_on_fips = 1, .server_prio = "NORMAL:+3DES-CBC", .client_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.1" }, { .name = "both TLS 1.1: 3DES-CBC (client)", .cipher = GNUTLS_CIPHER_3DES_CBC, + .not_on_fips = 1, .server_prio = "NORMAL:+3DES-CBC:+VERS-TLS1.1", .client_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.1" }, Index: gnutls-3.7.3/tests/tls12-cipher-neg.c =================================================================== --- gnutls-3.7.3.orig/tests/tls12-cipher-neg.c +++ gnutls-3.7.3/tests/tls12-cipher-neg.c @@ -173,6 +173,7 @@ test_case_st tests[] = { { .name = "server TLS 1.2: 3DES-CBC (server)", .cipher = GNUTLS_CIPHER_3DES_CBC, + .not_on_fips = 1, .server_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2:%SERVER_PRECEDENCE", .client_prio = "NORMAL:+3DES-CBC", .desc = "(TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(3DES-CBC)-(SHA1)" @@ -180,6 +181,7 @@ test_case_st tests[] = { { .name = "both TLS 1.2: 3DES-CBC (server)", .cipher = GNUTLS_CIPHER_3DES_CBC, + .not_on_fips = 1, .server_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2:%SERVER_PRECEDENCE", .client_prio = "NORMAL:+3DES-CBC:+VERS-TLS1.2", .desc = "(TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(3DES-CBC)-(SHA1)" 
@@ -187,6 +189,7 @@ test_case_st tests[] = { { .name = "client TLS 1.2: 3DES-CBC (client)", .cipher = GNUTLS_CIPHER_3DES_CBC, + .not_on_fips = 1, .server_prio = "NORMAL:+3DES-CBC", .client_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2", .desc = "(TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(3DES-CBC)-(SHA1)" @@ -194,6 +197,7 @@ test_case_st tests[] = { { .name = "both TLS 1.2: 3DES-CBC (client)", .cipher = GNUTLS_CIPHER_3DES_CBC, + .not_on_fips = 1, .server_prio = "NORMAL:+3DES-CBC:+VERS-TLS1.2", .client_prio = "NORMAL:-CIPHER-ALL:+3DES-CBC:+CIPHER-ALL:-VERS-ALL:+VERS-TLS1.2", .desc = "(TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(3DES-CBC)-(SHA1)" Index: gnutls-3.7.3/tests/tls13/post-handshake-with-cert-pkcs11.c =================================================================== --- gnutls-3.7.3.orig/tests/tls13/post-handshake-with-cert-pkcs11.c +++ gnutls-3.7.3/tests/tls13/post-handshake-with-cert-pkcs11.c @@ -444,6 +444,9 @@ void doit(void) const char *bin; char buf[128]; + if (gnutls_fips140_mode_enabled()) + exit(77); + /* check if softhsm module is loadable */ (void) softhsm_lib();